11 ISSUE : 02 PAGE : TERMINOLOGIE / TERMINOLOGY Activation Data Private data, other than keys, that are required to access cryptographic modules. Authority A list of revoked sub-cas and CAs Certificates published by the current Revocation List Thales Alenia Space Root CA. (ARL) Certificate A digital certificate is a signed data structure that binds one or more attributes of an entity with its corresponding public key. By being signed by a recognized and trusted authority (i.e. the Certification Authority) a digital certificate provides assurance that a particular public key belongs to a specific entity (and that the entity possesses the corresponding private key). The certificate format is in accordance with ITU Recommendation X.509. Certificate are documents that define the rules, procedures and practices to be Policies (CP) and employed in the use, administration and management of certificates within Certification a PKI environment. The CP contains rules and obligations to be fulfilled. Practice The CPS describes the concrete processes implemented to respect these Statements (CPS) rules. Certificate Revocation List (CRL) Certification Authority (CA) Certification Authorization Certificate repository Cross-Certificate Data Integrity Department Digital Signature A list maintained by a Certification Authority of the certificates which it has issued that have been revoked before their natural expiry time. Certification Authorities are the people, processes and tools responsible for the creation, issue and management of public-key certificates used within a PKI. Authorization for a Subscriber to request an Thales Alenia Space Certificate. A database or other storage component, which is accessible to all users of a PKI, within which public-key certificates, certificate revocation information and policy information can be held. A certificate used to establish a trust relationship between two Certification Authorities. Each CA certifies the public key of the other CA and trusts the certificates that have been issued by the other CA as its own issued certificates. Assurance that the data are unchanged from creation to reception. A department is a subset of any organization identified by Thales Alenia Space HQ. The result of a transformation of a message by means of a cryptographic system using keys such that a person who has the initial message can determine: - Whether the transformation was created using the key that corresponds to the signer s key and

12 ISSUE : 02 PAGE : 10 - Whether the message has been altered since the transformation was made Employee End-Entity Entity FIPS Issuing CA ITSEC Key Pair MD5 Object Identifier (OID) Organization PIN Policy Policy (PA) Private Key Public Key Authority Public Key Infrastructure (PKI) PKI client software PKI-enabled applications An employee is any person employed by an Thales Alenia Space unit. An Entity that uses the keys and Certificates created within the PKI for purposes other than the management of these keys and Certificates. An End-Entity may be a Subscriber or a Relying-Party. Any autonomous element within the Public Key Infrastructure. This may be a CA, an RA or an End-Entity. Federal Information Processing Standards. In the context of a particular certificate, the issuing CA is the CA that signed and issued the certificate. Information Security Technology Evaluation Criteria a Public Key and the corresponding Private Key One of the message digest algorithms developed by RSA Data Security, Inc. The unique alphanumeric/numeric identifier registered according to the ISO registration standard to reference a specific object or object class. In the Thales Alenia Space PKI it is used to identify uniquely each of the 2 policies and cryptographic algorithms supported. An Thales Alenia Space organization identified by Thales Alenia Space HQ. Personal Identity Number a secret code that can be used as activation data Certificate Policies and Certification Practice Statements are policy documents that define the procedures and practices to be applied in the use, the administration and the management of certificates within a PKI. An Thales Alenia Space body responsible for setting, implementing, and administering policy decisions regarding CP and CPS throughout the Thales Alenia Space PKI. The key kept secret by its owner. Associated with the corresponding Public Key within a Key Pair. The key is included in the Certificate and is published. Matching with its Private Key to form a Key Pair. A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and keys. Client-side software required to ensure that PKI-entities are able to make full use of the key and digital certificate management services of a PKI (e.g. key creation, automatic key update and refreshment) Software applications which have been modified to enable their use within a PKI. Typically this involves modifying an application so that it becomes compatible with the use of digital certificates (e.g. to authenticate a remote user and authenticate itself to a remote user)

13 ISSUE : 02 PAGE : 11 PKI Operator System A person with the following roles: - Configuration and maintenance of the CA system hardware and software, - Configuration of CA Security policies, - Commencement and cessation of CA services PKI Administrator with the following roles : - Management of the Subscriber initialization process - Creation, renewal or revocation of certificates - Distribution of tokens (where applicable) Registration Authority (RA) Relying Party Root CA Routine Rekey SHA-1 Sponsor Sub CA Subscriber Trusted CA Registration Authorities are the people, the processes and the tools that are responsible for authenticating the identity of new entities (users or computing devices) requiring certificates from CAs. They act as agents of CAs (and can carry out some of the functions of a CA if required). Entity trusting the Certificates signed by the Thales Alenia Space Internal CA to, but not limited to, authenticate Digital Signatures, to check documents integrity or to encrypt communications to the Certificate subject. The self signed CA signing the sub CAs (for instance the Internal or B to B CA) Certificates. Procedure which is used to generate a new key-pair for an entity as the previous key-pair is about to expire.. One of the message digest algorithms In the Thales Alenia Space PKI, a sponsor is a department or an employee s manager that has nominated a specific individual or organization to be issued with a certificate. A CA, which Certificate is signed by the Root CA Private Key. Individual or application to whom the CA has issued a signature A CA recognized by the Thales Alenia Space Internal CA as issuing Certificates respecting satisfying standards of quality and security. 3.4 ABREVIATIONS / ABBREVIATIONS ARL CA CMA CPS CRL DMS DN DSA I&A LDAP ISO OID PKI Authority Revocation List Certification Authority Certificate Manufacturing Authority Certification Practice Statement Certificate Revocation List Document Management System Distinguished Name Digital signature algorithm Identification and Authentication Lightweight Directory Access Protocol International Standards Organization Object Identifier Public Key Infrastructure

14 ISSUE : 02 PAGE : 12 PMA Policy Management Authority RA Registration Authority X.500 The ITU-T (International Telecommunication Union-T) standard that establishes a distributed, hierarchical directory protocol organized by country, region, Organization, etc. 3.5 CONVENTIONS Paragraphs preceded by symbol "F" gives information of how to satisfy requirements specified just above. 4. INTRODUCTION 4.1 OVERVIEW This document contains the rules governing the use of Thales Alenia Space centralized signature certificates among those parties involved in the Public Key Infrastructure described by this policy, namely PKI service provider and end entities. PKI Service Provider is consisted of : Policy Management Authority, Issuing Certification Authorities, Registration Authorities and Repositories End Entities are consisted of : Certificate Holders and Authorized Relying Parties This document describes the roles, responsibilities, and relationships of the PKI Service Providers and End Entities (collectively Participants ), and the rules and requirements for the issuance, acquisition, management, and use of TASCS Certificates to verify Digital Signatures. This document also describes the practices TASCS follows in issuing and managing certificate, and to inform potential users of TASCS certificates about what they need to know prior to relying on TASCS-issued certificates. 4.2 NEEDS AND CONSTRAINTS OVERVIEW Thales Alenia Space provides to all its employees a service allowing to digitally sign very easily electronic documents. This signature service, called Thales Alenia Space Centralized Signature (TASCS) service shall be integrated to Thales Alenia Space business tools, such as its document management system.

15 ISSUE : 02 PAGE : 13 This signature service must be very simple to deploy, to maintain, to administrate and to use, taking into account the large employees number. The TASCS must be implemented with the international norms representing state of the art. 4.3 TASCS PRINCIPLES ET ARCHITECTURE OVERVIEW Digital signature relies on X.509 certificates delivered by a PKI. Because classical certificate enrollment process may be tedious for this purpose and not satisfy Thales Alenia Space requirements, TASCS service relies on a PKI called TASCS PKI, issuing automatically and centralizing certificates for all Thales Alenia Space users according to TAS common directory (SIPRO). Thales Alenia Space SIPRO users SIPRO Thales Alenia Space Centralized Signature CA Thales Alenia Space Centralized Signature Service Secure Certificate Store Thales Alenia Space DMS users DMS Figure 1: TASCS architecture overview When signing, users do not have to request a certificate, nor have a specific signature tool. The TASCS service relies on a dedicated PKI, named TASCS (Thales Alenia Space Centralized Signature) PKI, automatically creating and renewing certificates and keys for all Thales Alenia Space internal users. When creating certificates, TASCS CA gets information on users (name, address, status, ) from the TAS common directory (SIPRO). SIPRO is updated by human resource team. It is supposed to contain the most up-to-date and reliable information.

16 ISSUE : 02 PAGE : 14 TASCS CA stores users certificates and keys in a secure certificate store. This store is only accessed by TASCS service that uses keys only when signing a document after authenticating the users for each signature apposition. 4.4 IDENTIFICATION An Object IDentifier (OID) will be included upon identification by the Policy Authority. 4.5 COMMUNITY AND APPLICABILITY This certificate policy has satisfied the general public key certificate needs and constraints of Thales Alenia Space for digital signature Certification authorities A CA operating under this policy is responsible for: Creating and Signing certificates binding Subscribers with their digital signature keys, Promulgating certificate status through CRLs, Ensuring adherence with this certificate policy. A CA ensures that there is at least one Certificate and CRL repository associated with this policy Registration authorities As far as certificates are automatically created for users (cf. 4.3), there is no RA. This section is not applicable End entities Subscribers within TASCS PKI are issued to Thales Alenia Space users referenced and activated in Thales Alenia Space Common directory (SIPRO). TASCS service is available from Thales Alenia Space site Applicability This CPS applies to all TASCS PKI participants, including Thales Alenia Space users, customers, resellers and relying parties involved in document signature process.

17 ISSUE : 02 PAGE : 15 TASCS certificates are only used for digital signature. Applications using these certificates are: TASCS service for signature apposition signature verification tools 4.6 CONTACT DETAILS Specification administration organization The Thales Alenia Space Corporate Information System Security Officer (ISSO) is responsible for this document and for applying this CP and CPS Contact person The contact person for this policy is the Thales Alenia Space ISSO Person determining CPS suitability for the policy The Thales Alenia Space ISSO is responsible for determining CPS suitability for this policy. 5. GENERAL PROVISIONS [PROV] 5.1 OBLIGATIONS CA obligations Reference PKI-SP0007-PROV-001 : A CA will operate in accordance with its Certificate Practice Statement (CPS), with this Certificate Policy (CP), and with Thales Alenia Space standards when issuing and managing the keys. Reference PKI-SP0007-PROV-002 : The CA will ensure that the RA operating on its behalf will comply with the relevant provisions of this CP concerning the operation of RA. Reference PKI-SP0007-PROV-003 : A CA shall take all reasonable measures to ensure that Subscribers are aware of their respective rights and obligations regarding the operation and management of any keys, certificates, or End- Entity hardware and software used in connection with the PKI. Reference PKI-SP0007-PROV-004 : A CA must:

18 ISSUE : 02 PAGE : 16 Publish this document, Have in place mechanisms and procedures to ensure subscribers are aware of and agree to abide by the stipulations in this document Ensure that its certification services are in accordance with this document Notification of revocation of certificates Reference PKI-SP0007-PROV-005 : A CA must make CRLs available to a Subscriber or Relying Party in accordance with Section Accuracy of representations Reference PKI-SP0007-PROV-006 : A CA will provide to each Subscriber notice of the Subscriber s rights and obligations under this Certificate Policy. Such notice will include a description of the permitted uses of certificates issued under this CP, the Subscriber s obligations concerning key protection, and procedures for communication between the Subscriber and the RA, including communication of changes in service delivery or changes to this policy. Such notice will also indicate procedures to address suspected key compromise, certificate or key renewal, service cancellation, and resolution of disputes. F At certificate generation time, the CA takes information from TAS common directory (SIPRO) which contains the most reliable information on Subscribers (first name, last name, address, status). SIPRO is updated every day with information coming from Human Resource management tool. The CA checks every day the validity of the Subscriber information. It compares information from TAS common directory and the generated certificates. The checked information are information in certificate subject of the subscriber (cf. 10.1). If there is a difference, CA automatically renews the certificate for this user. Reference PKI-SP0007-PROV-007 : A CA will ensure that any notice includes a description of a Relying Party s obligations with respect of use, verification, and validation of certificates Time between request for a certificate and the issue thereof Not applicable.

19 ISSUE : 02 PAGE : Revocation and renewal of certificates Reference PKI-SP0007-PROV-008 : A CA will ensure that procedures concerning the expiry, revocation, or re-issue of a certificate will be compliant with the relevant provisions of this CP and will be expressly stated in its CPS, the Subscriber Agreement, or any other applicable document outlining the terms and conditions of the certificate use. Reference PKI-SP0007-PROV-009 : A CA will also ensure that notice of revocation of a certificate will be posted to the CRL within the time limits stated in and The address of the CRL must be defined in the certificate Protection of private keys Reference PKI-SP0007-PROV-010 : A CA will ensure that its private keys and its activation data are protected in accordance with Sections 4 and 9. Reference PKI-SP0007-PROV-011 : A CA will ensure that the private keys that it holds or stores, and the activation data are protected in accordance with Sections 7 and 9. Reference PKI-SP0007-PROV-012 : A CA will ensure that any private keys for the confidentiality of a Subscriber that have been backed-up or archived are protected in accordance with Section Restrictions on the use of an issuing CA's private key Reference PKI-SP0007-PROV-013 : A CA will ensure that its certificate signing private key is used only to sign certificates and CRLs. A CA may issue certificates to Subscribers. A CA may also recognize other CAs when expressly authorized by the Thales PA RA obligations Not applicable.

20 ISSUE : 02 PAGE : Subscriber obligations Reference PKI-SP0007-PROV-014 : The Subscriber is obliged to enter into an agreement or abide by an acceptable use policy which outlines the terms and conditions of use of the certificates and keys, including permitted applications and purposes. This agreement may be read during signature process Accuracy of representations Not applicable Protection of subscriber private key and key token Not applicable Restrictions on use of private keys by subscribers Reference PKI-SP0007-PROV-015 : The Subscriber will use the keys and certificates only for the purposes authorized by this policy. F This requirement is conformed in so far as only TASCS service accesses subscriber private keys Notification if private keys are compromised Reference PKI-SP0007-PROV-016 : If a Subscriber suspects that a private key has been compromised, he or she must immediately notify the CA in the manner Relying party obligations The rights and the obligations of a Relying Party who is a member of this PKI are covered by this policy Use of certificates for appropriate purpose Reference PKI-SP0007-PROV-017 : Before using a Subscriber s certificate, a Relying Party must ensure that it is appropriate for the intended use.

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY July 2011 Version 2.0 Copyright 2006-2011, The Walt Disney Company Version Control Version Revision Date Revision Description Revised

.509 Certification Practices Statement for the U.S. Government Printing Office Principal Certification Authority (GPO-PCA) June 11, 2007 FINAL Version 1.6.1 FOR OFFICIAL USE ONLY SIGNATURE PAGE U.S. Government

Certificate Policy for the Government Public Key Infrastructure Version 1.7 Administrative Organization: National Development Council Executive Organization: ChungHwa Telecom Co., Ltd. January 31, 2013

CERTIFICATION PRACTICE STATEMENT Document version: 1.2 Date: 15 September 2007 OID for this CPS: None Information in this document is subject to change without notice. No part of this document may be copied,

Preface This Key Recovery Policy (KRP) is provided as a requirements document to the External Certification Authorities (ECA). An ECA must implement key recovery policies, procedures, and mechanisms that

SWIFT SWIFT Qualified Certificates Certificate Policy This Certificate Policy applies to Qualified Certificates issued by SWIFT. It indicates the requirements and procedures to be followed, and the responsibilities

American International Group, Inc. DNS Practice Statement for the AIG Zone Version 0.2 1 Table of contents 1 INTRODUCTION... 6 1.1 Overview...6 1.2 Document Name and Identification...6 1.3 Community and

CA Certificate Policy SCHEDULE 1 to the SERVICE PROVIDER AGREEMENT This page is intentionally left blank. 2 ODETTE CA Certificate Policy Version Number Issue Date Changed By 1.0 1 st April 2009 Original

TC TrustCenter GmbH Certification Practice Statement NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certification Practice Statement is published in conformance

Certification Practice Statement March 2009 1. Overview 1.1 What is a Certification Practice Statement? A certification practice statement is a statement of the practices that a Certification Authority

Equens Certificate Policy WebServices and Connectivity Final H.C. van der Wijck 11 March 2015 Classification: Open Version 3.0 Version history Version no. Version date Status Edited by Most important edit(s)

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION I. DEFINITIONS For the purpose of this Service Description, capitalized terms have the meaning defined herein. All other capitalized

Title INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456 Customer Aristotle University of Thessaloniki PKI (www.pki.auth.gr) To WHOM IT MAY CONCERN Date 18 March 2011 Independent Audit

Certificate Policy for the United States Patent and Trademark Office November 26, 2013 Prepared by: United States Patent and Trademark Office Public Key Infrastructure Policy Authority This page is intentionally

REVENUE ON-LINE SERVICE CERTIFICATE POLICY Document Version 1.2 Date: 15 September 2007 OID for this CP: 1.2.372.980003.1.1.1.1.1 No part of this document may be copied, reproduced, translated, or reduced

CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.

X.509 Certification Practice Statement for the Australian Department of Defence Version 5.1 December 2014 Document Management This document is controlled by: Changes are authorised by: Defence Public Key

TC TrustCenter GmbH Certificate Policy for SAFE NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certificate Policy is published in conformance with international